Cybersecurity and the federal government, part 2

Continuing on from my previous post, what is the case for having a government-level agency responsible for cybersecurity? We've looked at who should be responsible for keeping the Internet clean, and the current candidates that I have disqualified so far are users themselves and ISPs. Who else is there?

Spammers should do it.

It logically follows that if spammers and malware authors are the ones responsible for getting our systems infected, then they ought to be the ones responsible for cleaning them up. Once caught, instead of fining the spammers, why not get them to engage in a massive operation to disinfect and undo all the damage that they have done?

Of course, this would never work. For one, spammers are like criminals. If someone breaks into your place and steals a bunch of stuff and breaks a bunch more stuff, it's almost never the burglar that has to replace it. No, it's either your insurance company that picks up the tab, or in some cases, it's you who has to do it (the exception, of course, is if you are a financial company and the government determines that you are too big to fail, then the taxpayer gets to clean up the mess). Spammers don't clean up messes; they cause them.

Also, even if spammers were willing to clean up the mess, it's doubtful they could even do it. Many spammers don't have the technical expertise necessary to do it. They just download software available on the web that enables them to spam. Some may be experienced technical users, but most are not. They don't understand protocols and operating system vulnerabilities in technical detail and couldn't undo any damage they had done even if they wanted to.

Finally, let's be perfectly honest here: spammers would never consent to cleaning up the Internet from the malware-infested plague that it is. They are there to cause havoc, not organize it. If the greater good were their primary motive, it's doubtful they'd have entered the business to begin with.

Government should do it.

And that brings us to the final option. Cybersecurity should be managed, or overseen, by the federal government.

Why the federal government? There are a couple of reasons. First, only the government has the ability to put the necessary financial resources behind a system for keeping the Internet healthy and secure. ISPs and individual users don't have the expertise or financial motivation required to do it. Government can recruit bright individuals to create a program of cyber-health monitoring, and it has access to the resources necessary to implement such a program (just imagine if that $800 billion were being spent on cybersecurity). Imagine if the government had a program where users could regularly bring their PCs in to be disinfected, or sent notices to home users advising them of a time and place where they can have their system cleaned up.

And let's face it, government doesn't have to have a profit motive to support something. The government supports lots of programs that otherwise lose money in the name of the public good.

Furthermore, government has the legal authority to implement solutions that might otherwise be allowed to live on in the ether for years. For example, in terms of email authentication, we have SPF, SenderID, DomainKeys and DKIM. There is still no official standard on what should be supported. Industry has advanced them nicely, and many of the good email providers use one or a combination of these. However, there are still plenty of domains out there that do no authentication at all. In the email industry, we all say that it'd be nice if every sender used some sort of authentication protocol. What if it were a legal requirement, issued by the government, that you had to do at least one kind of authentication (take your pick)? Hmm... Authentication would certainly be a good twist in the fight against spam.

Finally, while I could go on about the merits of central government management of cybersecurity, there are others who would argue against the expansion of the federal government. To those of you who would voice this, yours is a sympathetic voice to me. I agree with you; my Objectivist leanings make me want to keep government as small as possible. However, the pragmatic leanings in me point out this one fact: if government doesn't do it, who will?

Seriously, who else will do it? Nobody else will and that is the problem. Nobody has the resources necessary or the central oversight or the legal authority required to organize something like this. In the meantime, the problem of spam, malware and botnets gets worse.

Lest you think that I want more government expansion, consider this: Estonia was the victim of cyberattacks in 2007. They threatened to shut down its infrastructure. Consider the possibility of a large, co-ordinated cyberattack on the United States. If the Internet infrastructure in the US were attacked, that would be a credible national security issue. Shutting down major banks or the US Department of Defense could cause serious economic or military damage. Thus, cybersecurity is not just about keeping the spam/botnet problem under control; the case could be made that it is also a matter of national security.